Configure Automated User Provisioning with Okta
Configure CoreWeave Automated User Provisioning with Okta
Automated User Provisioning (AUP) lets you instantly sync users and groups from your identity provider (IdP) to the Cloud Console, using the SCIM (System for Cross-domain Identity Management) standard. You no longer need to send invites or wait for users to log in.
This guide shows how to set up AUP with Okta as the IdP.
Prerequisites
- Admin access to the CoreWeave Cloud Console.
- Admin access to the Okta dashboard.
Create SAML SSO integration
Users created via AUP must use SAML SSO for authentication, so you must configure SAML SSO first.
- Open the Cloud Console and the Okta dashboard in separate windows.
  - In Cloud Console: Go to IAM > SAML SSO in the sidebar, then click Configure SAML.
  - In Okta: Go to Applications, click Create App Integration, and select SAML 2.0.
  For the next few steps, the Cloud Console displays details for your integration that you'll need to provide in Okta.
- Copy the ACS URL from the Cloud Console and paste it into Okta's Single sign-on URL field. Leave the checkbox checked (for Use this for Recipient URL and Destination URL).
- Copy the Entity ID from the Cloud Console and paste it into Okta's Audience URI (SP Entity ID) field.
- In Okta, within the SAML Attributes > Sign-on tab, add the following SAML SSO attributes in the Attribute Statements section:
  - Name: first_name; Value: user.firstName
  - Name: last_name; Value: user.lastName
  - Name: email; Value: user.email
  Click Next.
- For App Type, select This is an internal app we have created, and click Finish.
- The Okta dashboard displays a page with details for your integration. This time, you will copy values from the Okta dashboard and paste them into the Identity Provider section in Cloud Console. In the Okta dashboard, ensure the Sign-on tab is selected. Under Sign-on methods, below Metadata details, expand the More details caret to reveal more sign-on details.
  - Copy the Sign-on URL, and then paste the value into the SSO URL field in Cloud Console.
  - Copy the Issuer, and then paste the value into the Entity ID field in Cloud Console.
  - Copy the Signing Certificate, and then paste the value into the Signing certificate field in Cloud Console.
- In Cloud Console, click Next and then click Deploy SSO.
Configure one-way SCIM
Set up one-way SCIM provisioning so the Cloud Console can receive user and group information from Okta.
- In the Cloud Console, toggle Enable SCIM.
- In Okta:
  - On your integration's General tab, click Edit in the App Settings card.
  - Set the Provisioning radio button to SCIM, and click Save.
- Go to the Provisioning tab in Okta:
  - Click Edit in the SCIM Connection section.
  - Set SCIM Connector base URL to https://api.coreweave.com/scim/[org-userid]. Find your org ID in the ACS URL (from Cloud Console): https://console.coreweave.com/accounts/saml/[org-userid]/acs.
  - Set Unique identifier field for users to userName.
  - For Supported provisioning actions: select Push New Users, Push Profile Updates, and Push Groups. Do not enable any import options.
  - Set Authentication mode to HTTP Header.
  - For Authorization, paste the bearer token from Cloud Console.
  After setup, the Settings sidebar shows two new tabs: To App and To Okta. Since this is a one-way sync, To Okta will show Import Not Available.
- In the To App tab:
  - Click Edit under Provisioning to App.
  - Enable: Create Users, Update User Attributes, and Deactivate Users.
  - Do not enable Sync Password because SAML SSO handles authentication.
  - Click Save.
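The code below is an added example, not CoreWeave or Okta code: it derives the SCIM connector base URL from the ACS URL and builds (without sending) the kind of create-user request a one-way SCIM 2.0 push carries, which helps when reading provisioning logs. The `/Users` path and payload follow the SCIM 2.0 standard (RFC 7643/7644) and are assumed here; the org ID, token and user are constructed placeholders, and both function names are hypothetical.

```python
import json
import re

# ACS URL format from this guide; brackets are excluded so a literal "[org-userid]" is rejected.
ACS_PATTERN = re.compile(r"https://console\.coreweave\.com/accounts/saml/([^/\[\]\s]+)/acs/?")

def scim_base_url(acs_url):
    """Derive the SCIM connector base URL from the ACS URL shown in Cloud Console."""
    match = ACS_PATTERN.fullmatch(acs_url.strip())
    if not match:
        raise ValueError("not a Cloud Console ACS URL, or the [org-userid] placeholder was left in")
    return f"https://api.coreweave.com/scim/{match.group(1)}"

def build_create_user_request(base_url, bearer_token, user_name, first, last, email):
    """Build, but do not send, a SCIM 2.0 create-user request (standard shape, assumed)."""
    body = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_name,  # the unique identifier field set in Okta
        "name": {"givenName": first, "familyName": last},
        "emails": [{"value": email, "primary": True}],
        "active": True,  # Deactivate Users later flips this to False
    }
    headers = {
        "Authorization": f"Bearer {bearer_token}",  # HTTP Header authentication mode
        "Content-Type": "application/scim+json",
    }
    return {"method": "POST", "url": f"{base_url}/Users",
            "headers": headers, "body": json.dumps(body)}

# Constructed placeholders; the real bearer token is a secret shown in Cloud Console.
SAMPLE_ACS_URL = "https://console.coreweave.com/accounts/saml/ORG-PLACEHOLDER/acs"
SAMPLE_REQUEST = build_create_user_request(
    scim_base_url(SAMPLE_ACS_URL), "TOKEN-PLACEHOLDER",
    "ada@example.com", "Ada", "Lovelace", "ada@example.com")

if __name__ == "__main__":
    print(SAMPLE_REQUEST["method"], SAMPLE_REQUEST["url"])
    print(SAMPLE_REQUEST["body"])
```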
Assign users and groups
To complete the integration, you'll assign users to a group in your IdP, and then assign the group to your application. Finally, you'll test the integration by checking whether the users sync to Cloud Console.
- In Cloud Console, open the list of Users in your organization.
- Assign users to a group in Okta:
  - Go to Directory > Groups and click the name of a group.
  - With the People tab selected, click Assign people.
  - Click the + icon to add individuals to the group, and make sure to include the Org Admin.
- Assign the group to your application in Okta:
  - Go to Applications > Applications and click the name of your application.
  - On your application's Assignments tab, click the Assign dropdown, then click Assign to Groups.
  - Find the name of the group, then click Assign.
  - Click Save and go back, then click Done.
  - The name of that group appears in the assignments list for your application.
- In Cloud Console, refresh the page showing your Users list. The users in the group you just assigned in Okta appear immediately in Cloud Console.
Sync groups
Okta uses push groups that are configured to push group memberships to applications like Cloud Console, through a feature called Group Push. There are two ways to sync groups from Okta to Cloud Console:
- Recommended path: Configure a regular Okta group for all the users you want to push to CoreWeave, along with all regular groups that you want to represent in Cloud Console. Then, configure push groups corresponding to any of the subgroups that you want to manage within CoreWeave, and only these subgroups would automatically sync with CoreWeave. That way, if you remove a user's group membership, it doesn't pull them out of the "all CoreWeave users" group.
- Manual path: Don't make an "all CoreWeave users" group. Configure push groups corresponding 1:1 to every regular group, and then any changes you'd make, you have to manually "force sync" them in Okta.
Remove the Department attribute from attribute mappings
The Department attribute in Okta can prevent groups from syncing properly with CoreWeave IAM. Before syncing groups, remove this attribute from the attribute mappings:
- Navigate to your CoreWeave application in the Okta dashboard.
- Click on the Provisioning tab.
- Locate the Attribute Mapping section.
- Remove the Department attribute, and save your changes.
This adjustment removes the Department attribute from the attribute mapping used for syncing with CoreWeave, but does not change the attribute inside Okta itself.
Recommended group sync configuration
- Configure a regular Okta group for all the users you want to push to CoreWeave.
- Configure regular Okta groups for all the subgroups that you want to represent in Cloud Console.
- For legacy CoreWeave IAM deployments, ensure that none of your selected Okta groups and subgroups share a name with a default user group. Otherwise, for every push group with the same name as a default user group, create a new user group with the appropriate default policies attached.
- Use Group Push to sync all of your Okta groups except the "all CoreWeave users" group.
Legacy default user groups
Legacy CoreWeave IAM deployments automatically provisioned a set of default user groups with specific policies attached. The policies attached to these groups were necessary for operating CoreWeave services. These legacy default user groups included:
- admin
- metrics
- read
- write
- billing_viewer
When syncing groups with legacy CoreWeave IAM deployments with SCIM, you must resolve the naming conflict by either avoiding syncing push groups with these names, or for each push group with the same name as a default user group:
- Create a new user group in CoreWeave IAM with a new preferred name.
- Assign the policies attached to a default user group. For example, for an administration group use the policies attached to the admin group.
- Delete the default user group prior to configuring a push group with the same name.